Advantages That an RODC Can Provide to an Existing Deployment

Branch office server administration. RODCs provide Administrator Role Separation (ARS), which you can use to delegate administration of an RODC to a nonadministrative user or group. This means that it is not necessary for a highly privileged administrator to log on to the domain controller in the branch office to perform routine server maintenance.

When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner.

The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently.

The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub site is offline.

Password Replication Policy Allowed and Denied lists

Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These are the Allowed RODC Password Replication Group and Denied RODC Password Replication Group.

The combination of the Allowed List and Denied List attributes for each RODC and the domain-wide Denied RODC Password Replication Group and Allowed RODC Password Replication Group give administrators great flexibility. They can decide precisely which accounts can be cached on specific RODCs.
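The policy and cache checks described above, as an added example written for this page (it is not from the original text or from Microsoft documentation). It assumes the ActiveDirectory PowerShell module and the hypothetical names BRANCH-RODC1, HUB-DC1, "Branch1 Users" and svc-backup.

```powershell
# Added example: configure an RODC's Password Replication Policy and audit what is actually cached.
Import-Module ActiveDirectory

$rodc  = "BRANCH-RODC1"   # assumed RODC name
$hubDc = "HUB-DC1"        # assumed writable replication partner

# Allow the branch staff to be cached; explicitly deny a sensitive service account.
# The RODC's own Allowed/Denied lists are evaluated together with the domain-wide
# Allowed/Denied RODC Password Replication Groups; an explicit deny always wins.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList "Branch1 Users"
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList  "svc-backup"

"--- Allowed list on $rodc ---"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, objectClass
"--- Denied list on $rodc ---"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, objectClass

# Being on the Allowed list does not mean the password is cached yet. Compare the accounts
# whose secrets have been revealed to the RODC with the accounts that authenticated through it:
# anything in the second set but not the first would fail to log on if the WAN link were down.
$revealed      = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
$authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts)

"--- Passwords currently cached on $rodc ---"
$revealed | Select-Object Name, objectClass
"--- Authenticated via $rodc but not cached ---"
Compare-Object -ReferenceObject $revealed -DifferenceObject $authenticated -Property DistinguishedName -PassThru |
    Where-Object { $_.SideIndicator -eq "=>" } | Select-Object Name, objectClass

# Resultant policy for a single account (Allow / Deny) as the RODC would evaluate it.
Get-ADAccountResultantPasswordReplicationPolicy -Identity "svc-backup" -DomainController $rodc

# Pre-populate the cache for an allowed account so it can log on even while the hub is unreachable
# (repadmin pushes the secret from the writable partner to the RODC).
$user = Get-ADUser -Identity "branch.user1"   # assumed branch account
repadmin /rodcpwdrep $rodc $hubDc $user.DistinguishedName
```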


Question No: 132 – (Topic 2)

You are decommissioning one of the domain controllers in a child domain.

You need to transfer all domain operations master roles within the child domain to a newly installed domain controller in the same child domain.

Which three domain operations master roles should you transfer? (Each correct answer presents part of the solution. Choose three.)

Transferring an operations master role means moving it from one domain controller to another with the cooperation of the original role holder. Depending upon the operations master role to be transferred, you perform the role transfer using one of the three Active Directory consoles in Microsoft Management Console (MMC).

snapshot: Manages snapshots of the volumes that contain the Active Directory database and log files, which you can view on a domain controller without starting in Directory Services Restore Mode (DSRM). You can also run the snapshot subcommand on an Active Directory Lightweight Directory Services (AD LDS) server.

This is a subcommand of Ntdsutil and Dsdbutil. Ntdsutil and Dsdbutil are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2.

To perform offline critical updates on CKDC1 without rebooting the server, you should stop the Active Directory domain services and install the updates. Start the Active Directory domain services after installing the updates.

By stopping the Active Directory domain services, you don’t need to reboot the server. The updates are related to the Windows Server 2008 on CKDC1 so when you stop the Active Directory domain services and start it again after the installation of the updates, the Server will perform in a normal way.

Question No: 135 – (Topic 2)

Your company asks you to implement Windows CardSpace in the domain. You want to use Windows CardSpace at your home.

Your home and office computers run Windows Vista Ultimate.

What should you do to create a backup copy of Windows CardSpace cards to be used at home?

Microsoft Windows CardSpace is a system for creating relationships with websites and online services.

Windows CardSpace provides a consistent way for:

Sites to request information from you.

You to review the identity of a site.

You to manage your information by using Information Cards.

You to review card information before you send it.

Windows CardSpace can replace the user names and passwords that you use to register with and log on to websites and online services.

15. How do I back up my cards or transfer them to another computer?

Cards are stored on your computer in an encrypted format. To save a backup file containing some or all of your cards or to use a card on a different computer, you can save cards to a backup card file.

To back up your cards:

Start Windows CardSpace.

View all your cards.

In the pane on the right of your screen, click Back up cards.

Select the cards that you want to back up.

Browse to the folder where you want to save the backup card file, and then give it a name.

When you complete these steps, you save a file containing some or all of your cards. You can copy the backup card file to media such as a Universal Serial Bus (USB) storage device, CD, or other digital media. You can restore the backup card file on this computer or on another computer.

To restore your cards:

Save the backup card file to the computer.

Browse to the location of the file on the computer.

Double-click the file, and then follow the instructions to restore the cards.

Question No: 136 – (Topic 2)

One of the remote branch offices is running a Windows Server 2008 read-only domain controller (RODC). For security reasons you don't want some critical credentials, such as passwords and encryption keys, to be stored on the RODC.

What should you do so that these credentials are not replicated to any RODCs in the forest? (Select 2)

Configure RODC filtered attribute set on the server

Configure RODC filtered set on the server that holds Schema Operations Master role.

Delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain

http://technet.microsoft.com/en-us/library/cc753223.aspx

Adding attributes to the RODC filtered attribute set

The RODC filtered attribute set is a dynamic set of attributes that is not replicated to any RODCs in the forest. You can configure the RODC filtered attribute set on a schema master that runs Windows Server 2008. When the attributes are prevented from replicating to RODCs, that data cannot be exposed unnecessarily if an RODC is stolen or compromised.

A malicious user who compromises an RODC can attempt to configure it in such a way that it tries to replicate attributes that are defined in the RODC filtered attribute set. If the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2008, the replication request is denied. However, if the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2003, the replication request could succeed.

Therefore, as a security precaution, ensure that forest functional level is Windows Server 2008 if you plan to configure the RODC filtered attribute set. When the forest functional level is Windows Server 2008, an RODC that is compromised cannot be exploited in this manner because domain controllers that are running Windows Server 2003 are not allowed in the forest.
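The procedure described above, as an added example written for this page (not code from the original text or from the TechNet article). It assumes the ActiveDirectory module and a hypothetical custom attribute with the lDAPDisplayName contoso-RecoveryKey; the bit values come from the documented searchFlags layout (0x200 = fRODCFilteredAttribute, 0x80 = fCONFIDENTIAL).

```powershell
# Added example: add a custom attribute to the RODC filtered attribute set on the schema master,
# refusing to proceed while the forest functional level still permits Windows Server 2003 DCs.
Import-Module ActiveDirectory

$attributeName = "contoso-RecoveryKey"   # assumed custom attribute (lDAPDisplayName)
$RODC_FILTERED = 0x200                   # searchFlags bit: never replicated to RODCs
$CONFIDENTIAL  = 0x80                    # searchFlags bit: hides the value from ordinary readers too

$forest = Get-ADForest
$required = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008Forest
# Caveat from the text: a compromised RODC could still pull filtered attributes from a
# Windows Server 2003 DC, so require a forest mode that excludes such DCs.
if ([int]$forest.ForestMode -lt $required) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2008 first."
}

# The change must be made on the schema master; target it explicitly.
$schemaMaster = $forest.SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attributeName))" `
    -Properties searchFlags
if (-not $attr) { throw "Attribute $attributeName was not found in the schema." }

# Set both bits: filtering stops replication to RODCs; marking the attribute confidential
# additionally removes the default read access that every authenticated user would have.
$newFlags = $attr.searchFlags -bor $RODC_FILTERED -bor $CONFIDENTIAL
if ($newFlags -ne $attr.searchFlags) {
    Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName -Replace @{ searchFlags = $newFlags }
}

# Verify the result as stored on the schema master.
$check = Get-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName -Properties searchFlags
"{0}: searchFlags=0x{1:X} RODC-filtered={2} confidential={3}" -f $attributeName, $check.searchFlags,
    (($check.searchFlags -band $RODC_FILTERED) -ne 0), (($check.searchFlags -band $CONFIDENTIAL) -ne 0)
```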

Active Directory supports multimaster replication of the directory data store between all domain controllers (DCs) in the domain, so all domain controllers in a domain are essentially peers. However, some changes are impractical to perform using multimaster replication, so, for each of these types of changes, one domain controller, called the operations master, accepts requests for such changes.

In every forest, there are at least five operations master roles that are assigned to one or more domain controllers. Forest-wide operations master roles must appear only once in every forest. Domain-wide operations master roles must appear once in every domain in the forest.

RID master

The RID master allocates sequences of relative IDs (RIDs) to each of the various domain controllers in its domain. At any time, there can be only one domain controller acting as the RID master in each domain in the forest.

Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID (SID). The SID consists of a domain SID, which is the same for all SIDs created in the domain, and a RID, which is unique for each SID created in the domain.

To move an object between domains (using Movetree.exe), you must initiate the move on the domain controller acting as the RID master of the domain that currently contains the object.
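The role transfer that Question 132 asks about, as an added example written for this page (not from the original text). It assumes the ActiveDirectory module, a hypothetical child domain child.contoso.com and a new writable DC named CHILD-DC2; the three domain-wide roles are the RID master, PDC emulator and Infrastructure master.

```powershell
# Added example: transfer the three domain-wide operations master roles to a new DC and verify.
Import-Module ActiveDirectory

$domain = "child.contoso.com"   # assumed child domain
$newDc  = "CHILD-DC2"           # assumed new domain controller in that domain

$before = Get-ADDomain -Identity $domain
"Before: RID={0} PDC={1} Infra={2}" -f $before.RIDMaster, $before.PDCEmulator, $before.InfrastructureMaster

# Preflight: the target must be a writable DC in the same domain (an RODC cannot hold any role).
$target = Get-ADDomainController -Identity $newDc
if ($target.Domain -ne $domain -or $target.IsReadOnly) {
    throw "$newDc is not a writable domain controller in $domain."
}

# Transfer, not seize: the current holders are still online and cooperate in the move.
# Schema master and Domain naming master are forest-wide and are deliberately not listed.
# -Force would seize the roles and is only appropriate when the holder is permanently gone.
Move-ADDirectoryServerOperationMasterRole -Identity $newDc `
    -OperationMasterRole RIDMaster, PDCEmulator, InfrastructureMaster -Confirm:$false

# Verify by asking the new holder directly.
$after = Get-ADDomain -Identity $domain -Server $newDc
"After:  RID={0} PDC={1} Infra={2}" -f $after.RIDMaster, $after.PDCEmulator, $after.InfrastructureMaster

$allMoved = @($after.RIDMaster, $after.PDCEmulator, $after.InfrastructureMaster) |
    ForEach-Object { $_ -like "$newDc.*" }
if ($allMoved -contains $false) { throw "At least one domain-wide role is still held elsewhere." }
"All three domain-wide roles are now held by $newDc."
```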

It is equivalent to doing the following in the CertMgr.msc console (in Vista and Windows 7): right-click Certificates, point to All Tasks, and then click Automatically Enroll and Retrieve Certificates.

The command does require that:

any autoenrollment GPO settings have already been applied to the target user or computer;

a certificate template grants Read, Enroll and Autoenroll permissions to the user or to a global or universal group containing the user;

the group membership is present in the user's token (that is, the user has logged on after the membership was added).

http://technet.microsoft.com/library/cc732443.aspx

Certutil

Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.

When certutil is run on a certification authority without additional parameters, it displays the current certification authority configuration. When certutil is run on a non-certification authority, the command defaults to running the certutil -dump verb.

Verbs

The following table describes the verbs that can be used with the certutil command. [Table of certutil verbs; only the entry for the pulse verb is preserved here.]

pulse

AD RMS client capabilities are embedded in the operating system of Windows Mobile 6 and later devices. There is no AD RMS client available for Windows Mobile 5.0 or earlier; AD RMS can be used only on devices with Windows Mobile 6 and later. There is full interoperability when sharing AD RMS protected content between the different versions and editions of Windows Mobile 6 or later.

By default, the discretionary access control list (DACL) of the AD RMS mobile certification pipeline is restricted and must be enabled for Windows Mobile 6 or later devices to obtain certificates and licenses to create and consume AD RMS protected content. You can enable the certification of mobile devices by giving the AD RMS Service Group and the user account objects of the AD RMS-enabled application Read and Read &amp; Execute permissions to the MobileDeviceCertification.asmx file. This file is located under %systemdrive%\Inetpub\wwwroot\_wmcs\Certification by default. You must complete this process on each AD RMS server in the cluster.

Question No: 140 – (Topic 2)

Company has an Active Directory forest with six domains. The company has 5 sites. The company requires a new distributed application that uses a custom application directory partition named ResData for data replication.

The application is installed on one member server in five sites.

You need to configure the five member servers to receive the ResData application directory partition for data replication.